b'     Department of Homeland Security\n\n     \xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\n\n\n\n        Reducing Over\xcd\x88classification of DHS\xe2\x80\x99 \n\n           National Security Information\n\n\n\n\n\nOIG-13-106                                August 2013\n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                                Department of Homeland Security\n                                Washington, DC 20528 I www.oig.dhs.gov\n\n                                 August 2, 2013\n\nMEMORANDUM FOR:               The Honorable Rafael Borras\n                              Under Secretary of Management\n                              Department of Homeland Security\n\nFROM:                         Charles K. Edwards             /?{ I J-. cJ         C:~\n                              Deputy Inspector General       ~~\' \\ \' ~\nSUBJECT:                      Reducing Over-classification of DHS\' National Security\n                              Information\n\nAttached for your information is our final report, Reducing Over-classification of DHS\'\nNational Security Information. We incorporated the formal comments from the\nDepartment in the final report.\n\nThe report contains two recommendations to aid the efforts of the Office of Management\nand the Office of the Chief Security Officer to enhance the program\'s overall effectiveness.\nThe Department concurred with both recommendations and, based on information\nprovided in the Department\'s response, we consider all recommendations to be open and\nresolved.\n\nAs prescribed by the Department of Homeland Security Directive 077-01, Follow-Up and\nResolutions for Office of Inspector General Report Recommendations, within 90 days of the\ndate of this memorandum, please provide our office with a written response that includes\nyour (1) agreement or disagreement, (2) corrective action plan, and (3) target completion\ndate for each recommendation. Also, please include responsible parties and any other\nsupporting documentation necessary to inform us about the current status of the\nrecommendation.\n\nPlease email a signed PDF copy of all responses and closeout requests to the Office of\nInspections at OIGinspectionsFollowup@oig.dhs.gov. Until your response is received and\nevaluated, the recommendations will be considered resolved and open.\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                               Department of Homeland Security\n\n\nConsistent with our responsibility under the Inspector General Act, we are providing copies\nof our report to appropriate congressional committees with oversight and appropriation\nresponsibility over the Department of Homeland Security. We will post the report on our\nwebsite for public dissemination.\n\nPlease call me with any questions, or your staff may contact Deborah L. Outten-Mills, Acting\nInspector General for Inspections, at (202) 254-4015, or Anthony D. Crawford, Intelligence\nOfficer, at (202) 254-4027.\n\nAttachment\n\n\n\n\n                                             2\n\x0c                                      OFFICE OF INSPECTOR GENERAL\n                                           Department of Homeland Security\n\n\nTable of Contents\n\n\nExecutive Summary ............................................................................................................ 1 \n\n\n\nBackground ........................................................................................................................ 2 \n\n\n\nResults of Review ................................................................................................................ 5 \n\n\n\n       General Program Management ............................................................................. 6 \n\n        \n\n       Security Program Management .............................................................................. 7 \n\n       Recommendation.................................................................................................. 12 \n\n       Management Comments and OIG Analysis .......................................................... 13 \n\n        \n\n       Original Classification Authority ........................................................................... 13 \n\n        \n\n       Original Classification and Dissemination of Control Marking Decisions ............. 14 \n\n        \n\n       Derivative Classification and Dissemination of Control Marking Decisions ......... 15 \n\n        \n\n       Security Self-inspection Program.......................................................................... 16 \n\n        \n\n       Security Reporting................................................................................................. 17 \n\n       Recommendation.................................................................................................. 19 \n\n       Management Comments and OIG Analysis .......................................................... 19 \n\n        \n\n       Security Education and Training ........................................................................... 19 \n\n        \n\n       Intelligence Community Cross-cutting Issues....................................................... 21 \n\n\n\n\n\nwww.oig.dhs.gov                                                                                                    OIG-13-106 \n\n\x0c                           OFFICE OF INSPECTOR GENERAL\n                                Department of Homeland Security\n\n\nAppendixes\n       Appendix A:   Objectives, Scope, and Methodology ............................................ 23\n       Appendix B:   Recommendations ......................................................................... 24\n       Appendix C:   Management Comments to the Draft Report ............................... 25\n       Appendix D:   Document Review Results ............................................................. 27\n       Appendix E:   Major Contributors to This Report ................................................ 29\n       Appendix F:   Report Distribution ........................................................................ 30\n\nAbbreviations\n       ASD            Administrative Security Division\n       CAPCO          Controlled Access Program Coordination Office\n       CBT            computer-based training\n       CCSO           Component Chief Security Officer\n       CFR            Code of Federal Regulations\n       CIAO           Classified Information Advisory Officer\n       CMT            Classification Management Tool\n       DHS            Department of Homeland Security\n       DNDO           Domestic Nuclear Detection Office\n       E.O.           Executive Order\n       FCGR           Fundamental Classification Guidance Review\n       I&A            Office of Intelligence and Analysis\n       IC             intelligence community\n       ICD            Intelligence Community Directive\n       IPAG           Intelligence Policy Advisory Group\n       ISOO           Information Security Oversight Office\n       LMS            Learning Management System\n       NPPD           National Protection and Programs Directorate\n       NSI            national security information\n       OCA            original classification authority\n       OCSO           Office of the Chief Security Officer\n       ODNI           Office of the Director of National Intelligence\n       OIG            Office of Inspector General\n       P.L.           Public Law\n       SCG            security classification guide\n       SCR            security compliance review\n       S&T            Science and Technology Directorate\n       STWG           Security Training Working Group\n       USCG           U.S. Coast Guard\n       USSS           United States Secret Service\n\nwww.oig.dhs.gov                                                                                    OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\nExecutive Summary\nThe Department of Homeland Security (DHS) creates, receives, handles, and stores\nclassified information as part of its homeland security, emergency response, and\ncontinuity missions. As creators and users of classified information, DHS is responsible\nfor both implementing national policies and establishing departmental policies, to\nensure that such information is adequately safeguarded when necessary and\nappropriately shared whenever possible. With proper classification of intelligence\nproducts, DHS can share more information with State, local, and tribal entities, as well\nas the private sector.\n\nThe Reducing Over-Classification Act of October 2010 (Public Law 111-258) requires the\nDHS Secretary to develop a strategy to prevent the over-classification and promote the\nsharing of homeland security and other information. This is the first of two reviews we\nare mandated to conduct under this act.\n\nSpecifically, we assessed the overall state of the DHS national security information\nprogram and reviewed 13 DHS components to determine whether applicable\nclassification policies, procedures, rules, and regulations have been adopted, followed,\nand effectively administered. We also identified policies, procedures, rules, regulations,\nand management practices that may be contributing to persistent misclassification. We\ncoordinated with other Offices of Inspector General and the Information Security\nOversight Office of the National Archives and Records Administration to ensure that our\nreview\xe2\x80\x99s evaluations followed a consistent methodology that allowed for cross-agency\ncomparisons.\n\nAs a result of our review, we determined that DHS has adopted and successfully\nimplemented all policies and procedures required by applicable Federal regulations and\nintelligence community directives. Through implementing Office of the Chief Security\nOfficer\xe2\x80\x99s policies and procedures, DHS has a strong program that should lead to better\ncommunication and sharing of intelligence throughout the Federal Government and with\nState, local, and tribal entities, as well as private sector partners. However, the\nDepartment\xe2\x80\x99s program can be strengthened by deploying a new classification management\ntool after testing, and by capturing all classified holdings better. We are making two\nrecommendations that when implemented will improve the Department\xe2\x80\x99s overall\nmanagement of its classification processes. The Department concurred with both\nrecommendations.\n\n\n\n\n                                            1\nwww.oig.dhs.gov                                                               OIG-13-106\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nBackground\nSince 1940, executive orders have directed government-wide classification standards\nand procedures. On December 29, 2009, President Obama signed Executive Order\n(E.O.) 13526, Classified National Security Information (order), which establishes the\ncurrent principles, policies, and procedures for classification. The order prescribes a\nuniform system to classify, safeguard, and declassify national security information (NSI).\nAccording to the order, the Nation\xe2\x80\x99s progress depends on the free flow of information\nwithin the Federal Government and to the public. Protecting information critical to\nnational security and demonstrating a commitment to open government through\naccurate and accountable application of classification standards and routine, secure,\nand effective declassification are equally important priorities. Misclassification of\nnational security information impedes effective information sharing and may provide\nadversaries with information that could harm the United States and its allies and cause\nmillions of dollars in avoidable administrative costs.\n\nAccording to the order, information that is determined to require protection from\nunauthorized disclosure in order to prevent damage to national security must be\nmarked appropriately to indicate its classification. The expected damage to national\nsecurity determines the classification level, as follows:\n\n   \xe2\x80\xa2\t Top Secret \xe2\x80\x93 applied to information, the unauthorized disclosure of which could\n      reasonably be expected to cause exceptionally grave damage to national security\n      that the original classification authority is able to identify or describe.\n   \xe2\x80\xa2\t Secret \xe2\x80\x93 applied to information, the unauthorized disclosure of which could\n      reasonably be expected to cause serious damage to national security that the\n      original classification authority is able to identify or describe.\n   \xe2\x80\xa2\t Confidential \xe2\x80\x93 applied to information, the unauthorized disclosure of which\n      could reasonably be expected to cause damage to national security that the\n      original classification authority is able to identify or describe.\n\nAlso according to the order, no other terms are to be used to identify U.S. classified\ninformation, except as otherwise provided by statute. If significant doubt exists about\nthe need to classify or the appropriate level of classification, the information shall not\nbe classified or shall be classified at the lower level.\n\nOnly original classification authorities (OCAs) authorized in writing by the President, the\nVice President, or agency heads or other officials designated by the President may\noriginally classify information. Prior to originally classifying information, OCAs must be\ntrained on proper classification, and they must be trained at least once per year\n\n\n                                             2\n\nwww.oig.dhs.gov\t                                                                OIG-13-106 \n\n\x0c                           OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\nthereafter. To make an original classification decision, an OCA must determine whether\nthe information meets the following standards for classification:\n\n   \xe2\x80\xa2\t The information is owned, controlled, or produced by or for the Federal \n\n      Government; \n\n   \xe2\x80\xa2\t The information falls within one or more of the eight categories (reasons for\n      classification) of information described in Section 1.4 of E.O. 13526; and\n   \xe2\x80\xa2\t The unauthorized disclosure of the information reasonably could be expected to\n      result in damage to national security that the OCA is able to identify or describe.\n\nOriginal classification precedes all other aspects of the security classification system,\nincluding derivative classification, safeguarding, and declassification.\n\nAs an OCA, so delegated by the President, the DHS Secretary has the authority to classify\ninformation pursuant to classification standards cited in the order, and to further\ndelegate such authority to additional DHS officials. The Secretary has delegated\nclassification authority to designated subordinate officials who need to exercise this\nauthority.\n\nDerivative classification means incorporating, paraphrasing, restating, or generating in\nnew form information that is already classified, and marking the newly developed\nmaterial according to classification markings that apply to the source information.\nDerivative classification includes the classification of information based on classification\nguidance. The duplication or reproduction of existing classified information is not\nderivative classification.\n\nPersonnel who apply derivative classification markings must be trained to apply the\nprinciples of E.O. 13526 prior to derivatively classifying information and at least once\nevery 2 years thereafter. Information may be derivatively classified from a source\ndocument or documents, or by using a classification guide.\n\nAuthorized holders of information (including holders outside the classifying\norganization) who believe that a classification is improper are encouraged and expected\nto challenge the classification status of the information.\n\nFederal Government departments and agencies that create or hold classified\ninformation are responsible for its proper management. Classification management\nincludes developing classification guides with OCA instructions for derivative classifiers\nthat identify information on specific subjects that must be classified, as well as the level\nand duration of classification. Applying standard classification and control markings is\none of the most effective ways to uniformly and consistently identify and protect\n\n\n                                              3\n\nwww.oig.dhs.gov\t                                                                 OIG-13-106 \n\n\x0c                               OFFICE OF INSPECTOR GENERAL\n                                   Department of Homeland Security\n\n\nclassified information. Effective program management also includes comprehensive \n\nmandatory training for classifiers and a comprehensive self-inspection program. \n\n\nFederal Government departments and agencies also may have systems of restrictive \n\ncaveats that can be added to documents. These restrictions are not classifications;\n\nrather, they limit the dissemination of information.\n\n\nOver-classification is defined as classifying information that does not meet one or more \n\nof the standards necessary for classification under E.O. 13526. Over-classification \n\nresults in the unnecessary protection of information that is not sensitive, and inhibits \n\nthe sharing of critical information. \n\n\nThe Reducing Over-Classification Act of October 2010 requires the DHS Secretary to \n\ndevelop a strategy to prevent the over-classification and promote the sharing of \n\nhomeland security and other information. This is the first of two reviews the act \n\nmandates. Specifically, we assessed whether DHS Headquarters and its components \n\nand offices have adopted, followed, and effectively administered applicable \n\nclassification policies, procedures, rules, and regulations; identified policies, procedures, \n\nrules, regulations, or management practices that may be contributing to persistent \n\nmisclassification; and coordinated with other Inspectors General and the Information\n\nSecurity Oversight Office (ISOO) to ensure that our evaluations followed a consistent \n\nmethodology that allowed for cross-agency comparisons.1\n\n\nWe reviewed the DHS Office of the Chief Security Officer (OCSO) and the following 13 \n\nDHS components that are able to handle, produce, and classify information: \n\n\nDomestic Nuclear Detection Office (DNDO) \n\nFederal Emergency Management Agency\n\nFederal Law Enforcement Training Center\n\nNational Protection and Programs Directorate (NPPD) \n\nOffice of Inspector General (OIG) \n\nOffice of Intelligence and Analysis (I&A) \n\nScience and Technology Directorate (S&T) \n\nTransportation Security Administration\n\nU.S. Citizenship and Immigration Services\nU.S. Coast Guard (USCG)\nU.S. Customs and Border Protection\nU.S. Immigration and Customs Enforcement\n\n1\n ISOO, a component of the National Archives and Records Administration, is responsible to the President\nfor policy and oversight of the government-wide security classification system and the National Industrial\nSecurity Program. ISOO receives policy and program guidance from the National Security Council.\n\n                                                    4\n\nwww.oig.dhs.gov                                                                              OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\nUnited States Secret Service (USSS)\n\n\nResults of Review\nThis is the first of two reports required by Section 6(b) of the Reducing Over-\nClassification Act, which mandates that OIGs of Federal departments and agencies with\nofficers or employees authorized to make original classifications (1) assess whether\napplicable classification policies, procedures, rules, and regulations have been adopted,\nfollowed, and effectively administered within the department or agency; and (2) identify\npolicies, procedures, rules, regulations, or management practices that may be\ncontributing to persistent misclassification of material. The act was designed to prevent\nover-classification and over-compartmentalization of information, while promoting the\nsharing and declassifying of it, as prescribed by Federal guidelines. In this report, we\naddress areas of classification management and control marking programs. For the\nsecond report, which is due on September 30, 2016, we will focus on follow-up efforts\nto this report\xe2\x80\x99s recommendations.\n\nIn assessing the DHS program, we reviewed the classification management and control\nmarking programs of the OCSO and 13 components to ensure that they have the\nnecessary resources to implement programs effectively, records systems are designed\nand maintained to optimize appropriate sharing and safeguarding of classified\ninformation, and senior agency officials are designated to direct and administer\nprograms.\n\nDHS OCSO and its components have implemented, managed, and provided oversight\neffectively for a classified National Security Information program as outlined in E.O.\n13526, Classified National Security Information; Public Law (P.L.) 111-258, Reducing\nOver-Classification Act; 32 Code of Federal Regulations (CFR), Part 2001; and Intelligence\nCommunity Directive (ICD) Number 710, Classification and Control Markings System,\nSeptember 2009. Specifically, the OCSO has created and implemented policies and\nprocedures that established a firm foundation for DHS. DHS has met the program\nmanagement, classification management, security education and training, and self-\ninspections requirements as specified in E.O. 13526 and 32 CFR, Part 2001. The\nDepartment has also fulfilled the requirements for classification guides, as well as\noriginal and derivative classification authorities, and how to challenge incorrect\nclassifications.\n\nHowever, we identified areas where improvements are needed. For example, 59 of the\n372 DHS documents we reviewed contained declassification, sourcing, and marking\nerrors. Also, all Classification Management Tools (CMTs) were outdated, which led to\n\n                                            5\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\ndeclassification errors. Errors could lead to documents not being shared or being shared\nwith personnel not cleared to handle them. DHS could also improve its collection of\ncomponent information on classified holdings and its original and derivative\nclassification decisions.\n\n       General Program Management\n\n       Program Management Overview\n\n       The Administrative Security Division (ASD) in the OCSO of the Management\n       Directorate directs and implements DHS\xe2\x80\x99 National Security Information Program.\n       Under the authority of the E.O., the Secretary has appointed the DHS Chief\n       Security Officer as the Department\xe2\x80\x99s senior agency official with responsibility for\n       ensuring the program is in compliance with all Federal directives, policies, and\n       laws, and is adopted and implemented by all DHS components that handle and\n       classify national security information.\n\n       ASD and senior management create and implement classification policies for all\n       DHS components and for all State, local, tribal, and private sector entities as the\n       policies relate to Homeland Security. Senior management direction has enabled\n       ASD to instruct DHS components and ensure that the Department is in\n       compliance with all policies. Coordination among senior management, the\n       OCSO, and Component Chief Security Officers (CCSOs) in components and offices\n       has enhanced the proper classification, declassification, handling, and\n       safeguarding of information. Senior management is apprised of all security\n       policy changes, and reviews all reported security violations and self-inspection\n       results.\n\n       DHS Instruction 121-01-011 specifies the procedures and requirements for\n       classification challenges, sanctions, self-inspections, reporting and definitions,\n       and security training. Eight of the 13 components and offices that we reviewed\n       have CCSOs who oversee their respective programs and implement changes to\n       instructions from the OCSO. The other five Headquarters offices\xe2\x80\x94DNDO, NPPD,\n       OIG, I&A, and S&T\xe2\x80\x94have internal security staff and, with the exception of OIG,\n       OCSO security support embedded within the offices to assist with\n       implementation and oversight of security matters.\n\n       DHS CCSO\xe2\x80\x99s and other invited officials meet once a quarter to discuss security\n       issues and policy changes. DHS uses various working groups, such as the group\n       that creates instructional documents for the NSI program. I&A and the USCG\n       also attend the Classification Management Intelligence Working Group and\n       Classification Management Tools Working Group as members of the Intelligence\n\n                                            6\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       Community (IC). These working groups have led to improvements in security\n       classification guides and training, and have enhanced the Department\xe2\x80\x99s\n       classification culture.\n\n       Security Program Management\n\n       According to ISOO\xe2\x80\x99s October 2008 evaluation of DHS\xe2\x80\x99 information security\n       program, DHS\xe2\x80\x99 oversight and consistent implementation of the program\n       complied with applicable policies and regulations. However, ISOO identified\n       weaknesses in classification markings, self-inspections, and personnel\n       performance plans.\n\n       This section will focus on the core issues of security program management,\n       including DHS\xe2\x80\x99 responsibilities in implementing its security program in\n       compliance with E.O. 13526. These include the agency head\xe2\x80\x99s responsibility to\n       support the program and the responsibility of the senior agency official\n       designated by the agency head to direct and administer the program. DHS has\n       an appointed senior agency official to direct and administer the program, whose\n       responsibilities include the following:\n\n           \xe2\x80\xa2\t Overseeing the program established under E.O. 13526;\n           \xe2\x80\xa2\t Issuing implementing regulations;\n           \xe2\x80\xa2\t Establishing and maintaining security education and training programs;\n           \xe2\x80\xa2\t Establishing and maintaining an ongoing self-inspection program;\n           \xe2\x80\xa2\t Ensuring that the designation and management of classified information\n              is included as a critical rating element for OCAs, security managers or\n              security specialists, and all other personnel whose duties significantly\n              involve the creation or handling of classified information, including those\n              who apply derivative classification markings; and\n           \xe2\x80\xa2\t Establishing a secure capability to receive information, allegations, or\n              complaints regarding over-classification or incorrect classification within\n              the agency and providing guidance to personnel on proper classification,\n              as needed.\n\n       Classification Management and Control Marking Policies\n\n       DHS has adopted and implemented effectively all critical elements required for\n       applicable classification policies, procedures, rules, and regulations in E.O. 13526\n       and 32 CFR, Part 2001. Subsequent to the issuance of the E.O. in 2009, DHS\n       revised and consolidated existing administrative information security policies\n\n\n                                            7\n\nwww.oig.dhs.gov\t                                                               OIG-13-106 \n\n\x0c                                  OFFICE OF INSPECTOR GENERAL\n                                      Department of Homeland Security\n\n\n           into a single Department-wide instruction that reflected and effectively\n           implemented changes resulting from publication of the E.O.\n\n           As required by the Reducing Over-Classification Act, DHS appointed a Classified\n           Information Advisory Officer (CIAO) to assist in sharing information with State,\n           local, and tribal entities; law enforcement; and the private sector.2 DHS\n           appointed a CIAO in November 2010 and submitted written notification to the\n           U.S. Senate Homeland Security and Governmental Affairs Committee and House\n           Committee on Homeland Security. The CIAO\xe2\x80\x99s duties include those described in\n           the act and E.O. 13549, Classified National Security Information Program for\n           State, Local, Tribal, and Private Sector Entities, and the implementing directive\n           for E.O. 13549 approved by the Secretary in February 2012. Before passage of\n           the act, DHS made efforts to educate State and local partners in the\n           identification, classification, safeguarding, and handling of classified information,\n           and it continues to do so.\n\n           ASD\xe2\x80\x99s DHS Instruction 121-01-011, The Department of Homeland Security\n           Administrative Security Program, of April 2011, establishes procedures, program\n           responsibilities, minimum standards, and reporting protocols for DHS. The\n           instruction cites E.O. 13526 and 32 CFR, Part 2001 for authorization of its NSI\n           program. DHS also follows all Controlled Access Program Coordination Office\n           (CAPCO) instructions for classified markings in ICD 710, where required.\n\n           DHS Instruction 121-01-011 does not address special access programs, which are\n           governed by DHS Directive 140-04, Special Access Program Management, and\n           DHS Instruction 140-04-001, Special Access Program Implementation. These are\n           reviewed annually in compliance with E.O. 13526.\n\n           All 13 DHS components and offices that we reviewed have adopted and\n           implemented the policies and procedures required in DHS Instruction 121-01-\n           011. CCSOs agree that the DHS instructions provide the necessary information\n           for efficient and effective security programs. Only USSS and the USCG have\n           developed supplemental instructions related to their specific security programs;\n           the Federal Law Enforcement Training Center is developing a security policy as a\n           subset to the DHS instruction.\n\n           DHS has published 6 CFR, Part 7, which covers DHS-classified NSI and is currently\n           awaiting Office of General Counsel approval for an updated version to be in\n           compliance with E.O. 13526.\n\n\n2\n    P.L. 111-258, Reducing Over-Classification Act, Section 4(a).\n\n                                                        8\n\nwww.oig.dhs.gov                                                                     OIG-13-106 \n\n\x0c                            OFFICE OF INSPECTOR GENERAL\n                                Department of Homeland Security\n\n\n       OCSO senior management stated that reducing over-classification is important,\n       and has demonstrated the Department\xe2\x80\x99s successful adaptation and\n       implementation of the security program established in E.O. 13526. DHS\xe2\x80\x99\n       commitment to ensuring that the security program is implemented effectively as\n       established under this order is evident throughout the Department\xe2\x80\x99s\n       components and offices.\n\n       Classification Management Tools\n\n       CMTs allow users to automatically apply classification markings to electronic\n       documents. Not all DHS components are using CMTs, and where a CMT is used it\n       has not been updated to reflect changes resulting from the publication of E.O.\n       13526. Thus, DHS\xe2\x80\x99 use of CMTs is not in complete compliance with E.O. 13526,\n       and classifiers may be incorrectly classifying or declassifying information in their\n       documents. We believe that the new CMT will reduce errors in classification and\n       declassification and eliminate some current marking issues.\n\n       During our document review, we also identified a problem with using a specific\n       declassification exemption called 50X1-HUM.3 Documents that should have\n       been marked 50X1-HUM were marked with either a numerical 50-year date or\n       \xe2\x80\x9c25x1\xe2\x80\x9d and a 50-year date. This problem stems from current CMTs not allowing\n       the use of 50X1-HUM as the proper classification.\n\n       In addition, in some components and offices, CMTs do not allow for changes to\n       classification carried over from the source. Some CMTs also do not offer proper\n       exemptions, which results in extended declassification dates, and do not prompt\n       users to mark portions of the body of an email.\n\n       A CMT should allow a user to apply correctly formatted classification markings to\n       electronic documents automatically. Based on classification criteria the user\n       selects, the CMT automatically generates portion markings, a classification\n       banner (header and footer), and a classification authority block to cover original\n       and derivative information. The CMT also allows the user to validate the portion\n       marks against the banner, ensuring marking consistency and more effective\n       protection of national security.\n\n       DHS is currently testing a new CMT developed by the IC, which may be used for\n       all DHS components with C-LAN access. The new CMT is in accordance with E.O.\n\n       3\n        50X1-HUM is a term used for an exemption to declassifying information after 50 years, which is\n       the timeframe in E.O. 13526 and 32 CFR, Part 2001. It reflects a decision by the Interagency\n       Security Classification Appeals Panel to classify information beyond 50 years.\n\n                                                 9\n\nwww.oig.dhs.gov                                                                          OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       13526; 32 CFR, Part 2001; and CAPCO guidance. DHS has adopted the IC format,\n       but has also included specific caveats and security classifications guides (SCGs)\n       for DHS missions. The tool is still in its pilot stage; therefore, only a few select\n       employees from nine components have access to it. The new CMT provides all\n       appropriate exemptions, allowing for a proper declassification date, and it\n       enables users to change the classification levels of emails to reflect new ones; it\n       also prompts users to mark portions of documents.\n\n       Challenging Classification\n\n       In accordance with E.O. 13526, DHS Instruction 121-01-011 includes procedures\n       for informally and formally challenging the classification status of information,\n       noting that all DHS employees and contractors may challenge any classification\n       that they believe might be over- or under-classified.\n\n       DHS senior management we interviewed believes that challenging the\n       classification status of information is part of an employee\xe2\x80\x99s job. When asked, 90\n       out of 100 DHS derivative classifier interviewees said that they believed offering\n       incentives may lead to unnecessary challenges, and challenges will be raised not\n       in the spirit of reducing classification but for incentive reasons.\n\n       An authorized holder of classified information is not prohibited from informally\n       questioning the classification of information through direct and informal contact\n       with the classifier. All persons interviewed said they preferred informal\n       questioning for handling classification challenges, but they recognized this does\n       not always solve the issue and a formal process may be necessary.\n\n       The DHS instruction includes a process for formal challenges. Formal challenges\n       must be written and presented to an OCA with jurisdiction over the challenged\n       information. The OCA then must provide a written classification or\n       declassification decision to the challenger within 60 days of receipt. The\n       individual submitting the challenge has a right to appeal the decision to the\n       Interagency Security Classification Appeals Panel established by Section 5.3 of\n       E.O. 13526 and/or the DHS Chief Security Officer acting as the senior agency\n       official, who convenes a DHS Classification Appeals Panel. Individuals who\n       challenge classifications are not subject to retribution. ASD honors a challenger\xe2\x80\x99s\n       request for anonymity and serves as his or her agent in processing the challenge.\n       DHS has a secure capability to receive information, allegations, or classification\n       challenges.\n\n\n\n\n                                            10\n\nwww.oig.dhs.gov                                                                OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       ASD and CCSOs should continue communicating to employees the importance of\n       challenging the classification status of information to both protect and promote\n       the sharing of information.\n\n       Security Violations and Sanctions\n\n       We determined that DHS Instruction 121-01-011 is in compliance with E.O.\n       13526 as it relates to security violations and sanctions. The DHS instruction\n       includes a process for handling security violations and sanctioning violators.\n\n       According to the E.O., the agency head, senior agency official, or other\n       supervisory official should, at a minimum, promptly remove the classification\n       authority of any individual who demonstrates reckless disregard or a pattern of\n       error in applying the classification standards of this E.O. Incidents involving the\n       mishandling or compromise of classified information must be reported promptly\n       to the servicing security official and investigated thoroughly to determine the\n       cause. Security officials must assess and mitigate potential damage, and\n       implement measures to prevent recurrence. The agency head or senior agency\n       official must take appropriate and prompt corrective action and notify the\n       Director of ISOO when certain violations occur.\n\n       The DHS instruction also includes information on reporting a security incident,\n       reportable security incidents, security inquiries, and what constitutes a formal\n       investigation. It covers incidents involving classified information within\n       information technology systems, security violations and infractions in foreign\n       countries, other agency security violations and infractions, and sanctions.\n\n       To conduct a proper inquiry or investigation and respond to possible security\n       incidents, DHS components and offices gather and include key information, such\n       as names, dates, causes, and mitigation efforts in the Security Inquiry Reports.\n       Once completed, a report is forwarded to the official(s) with jurisdiction over the\n       component or office where the security incident occurred, as well as the\n       person(s) involved, for further action as appropriate. A copy of the report is also\n       forwarded to the servicing personnel security office, where it is filed within the\n       personnel security folder of the individual(s) found to be culpable for\n       commission of the incident.\n\n       According to the instruction, sanctions may include verbal or written counseling,\n       reprimand, suspension from duty with or without pay, removal, or revocation of\n       access to classified information, termination of classification authority, or\n       criminal penalties. Administrative sanctions are assessed in accordance with the\n       policies, procedures, and practices established by the human capital office in the\n\n                                           11\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       component or office. Security clearances must be revoked or suspended in\n       accordance with applicable E.O.s and Office of the Director of National\n       Intelligence (ODNI) policies and regulations.\n\n       When a proposed sanction associated with the unauthorized disclosure of\n       classified information exceeds a reprimand, the matter must be coordinated\n       with the DHS Office of General Counsel. Further, if there is an allegation that a\n       criminal violation has occurred, the matter is coordinated with the Office of\n       General Counsel and the Department of Justice.\n\n       Recommendation\n\n       We recommend that the Office of Management:\n\n       Recommendation #1: Ensure that DHS fully deploys the new Classification\n       Management Tool to all DHS components and offices when pilot testing is\n       completed.\n\n       Management Comments and OIG Analysis\n\n       We evaluated the Department\xe2\x80\x99s written response and have made changes to the\n       report where we deemed appropriate. A summary of the Department\xe2\x80\x99s written\n       response to the report recommendations and our analysis of the response\n       follows each recommendation. A copy of DHS\xe2\x80\x99 response, in its entirety, is\n       included as appendix C.\n\n       In addition, we received technical comments from the Department and\n       incorporated these into the report where appropriate. DHS concurred with all\n       recommendations in the report. We appreciate the comments and contributions\n       made by DHS.\n\n       Management Response: Office of Management officials concurred with\n       recommendation 1. In its response, the Office of Management said that the\n       CMT pilot phase of testing is being finalized, and the funded purchase request\n       for DHS to procure the CMT is processing through the procurement system to\n       create an interagency agreement with the owning agency to be completed\n       within the coming weeks. The Office of the Chief Information Officer will\n       proceed with full deployment of the tool to the top secret and secret networks.\n       Concurrent with full deployment, OCSO will conduct initial individualized training\n       essential to the successful deployment and use of the CMT. The Office of\n       Management estimates a completion date of February 28, 2014.\n\n\n                                           12\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       OIG Analysis: We consider the Office of Management\xe2\x80\x99s actions responsive to\n       the intent of Recommendation 1, which is resolved and open. This\n       recommendation will remain open pending full deployment of CMT.\n\n       Original Classification Authority\n\n       We determined that the DHS Secretary, in accordance with Federal guidance,\n       designated OCAs to determine the original classification of documents. We\n       determined that the OCAs are following processes described in E.O. 13526 and\n       32 CFR, Part 2001 for making original classification decisions.\n\n       Original Classification Authority Designation\n\n       In accordance with Section 1.3 of E.O. 13526 and 32 CFR Section 2001.11, the\n       DHS Secretary designates various DHS officials who are authorized to classify\n       national security information. In DHS Delegation 8100, version 5, Delegation of\n       Original Classification Authority, issued in June 2010, the DHS Secretary\n       delegated original classification authority for Top Secret, Secret, and Confidential\n       to 18 OCAs; 7 OCAs were delegated authority for Secret and Confidential. DHS\n       reports OCA delegations to the Director of ISOO annually, as directed by Federal\n       policies. Designating OCAs by position ensures clarity and continuity of\n       classification responsibilities; if a person in a position delegated as an OCA\n       cannot fulfill the duty or leaves the position, the successor inherits the duty and\n       responsibilities of the OCA.\n\n       Original Classification Authority Program Training and Knowledge\n\n       All OCAs have received annual training as prescribed in E.O. 13526 and 32 CFR,\n       Part 2001. At the time of this report, DNDO\xe2\x80\x99s OCA was scheduled for training.\n       The training covers duties and responsibilities of an OCA and the proper\n       application of classification markings. According to DHS Instruction 121-01-011,\n       authority will be suspended for OCAs who fail to complete OCA training annually\n       or in a timely manner.\n\n       The two OCAs we interviewed were knowledgeable about their duties and\n       responsibilities in executing their mission. They were able to identify and\n       describe the different types of damage to national security in cases of\n       unauthorized disclosure of Top Secret, Secret, or Confidential information. The\n       OCAs also understood that if their duties are not carried out as stated in E.O.\n       13526 or the CFR, they could be subjected to sanctions that include reprimand,\n       suspension without pay, removal, loss of classification authority, loss or denial of\n\n\n                                            13\n\nwww.oig.dhs.gov                                                                OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       access to classified information, or other sanctions in accordance with applicable\n       laws and Department regulations. Also, that their OCA authority may be\n       suspended if they do not receive training in a timely manner.\n\n       We interviewed two OCAs that said they made original classification decisions\n       within the past year. The original classification documents we reviewed were in\n       accordance with Section 1.4 of E.O. 13526, which specifies the types of\n       information that should be considered for classification.\n\n       Most DHS components and offices are consumers of intelligence information and\n       rarely have to make original classification decisions. In fact, few DHS OCAs have\n       made original classification decisions. Although OCAs may make few or no\n       original classification decisions in a year, some have published and must\n       maintain security classification guidance and OCAs must be available to address\n       classification-related questions. As such, the current number of DHS OCAs is\n       consistent with the need for OCAs as stipulated in E.O. 13526.\n\n       Original Classification and Dissemination of Control Marking Decisions\n\n       To communicate an original classification decision, the information to which the\n       decision applies, the classification level, declassification instructions, and any\n       other special instructions, security classification guides are written and approved\n       by the OCA. SCGs provide requirements and standards for classifying\n       information related to a department or agency\xe2\x80\x99s mission. According to E.O.\n       13526, information should be considered for classification if it covers specific\n       categories, or if the compilation of related information meets the order\xe2\x80\x99s defined\n       standards and criteria for classification and it falls under one or more of the\n       categories of information listed in Section 1.4 of the order.\n\n       We determined that the eight SCGs we reviewed are in accordance with all\n       policies, procedures, rules, and regulations. OCSO efforts for DHS components\n       to write streamlined and uniform SCGs have led to a reduction of SCGs for the\n       Department.\n\n       As of July 2012, DHS has 45 SCGs, down from 74 the previous year. The eight\n       SCGs that we reviewed contained information related to the types, topics,\n       reasons, levels, and duration of classifications, as described in E.O. 13526. All\n       SCGs we reviewed were signed by an OCA delegated by the DHS Secretary. As\n       per DHS Instructions, the OCSO maintains a master index of all DHS-published\n       SCGs. OCSO initiates a review of the Department\xe2\x80\x99s SCGs at least every 5 years,\n       which is in compliance with 32 CFR, Part 2001.\n\n\n                                           14\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n       Derivative Classification and Dissemination of Control Marking Decisions \n\n\n       DHS is a vast consumer of intelligence information and the majority of DHS\n       intelligence products are derivatively classified. Through interviews with 100\n       derivative classifiers department-wide, we determined that 95 of them are able\n       to derivatively classify information properly, and have an overall understanding\n       of the derivative classification process.\n\n       We determined that DHS Instruction 121-01-011 covers the use and inclusion of\n       source materials and determining correct classification and declassification for\n       derivative classifiers to make a decision. It also includes information on using\n       technical documents or notes, foreign government information, and transmittal\n       documents. Each section of the instruction describes the requirements for\n       classification, as well as means of reducing over-classification, as specified in E.O.\n       13526 and 32 CFR, Part 2001.\n\n       According to the CCSOs and the personnel we interviewed, all had received\n       training in the past 2 years and had received annual refresher training. They\n       received classification training at the DHS Entry-on-Board course, through\n       training by DHS security trainers and Special Security Officer trainers, online,\n       through video teleconferencing, or via compact disks.\n\n       The derivative classifiers that we interviewed said that the required 2-year\n       annual training for derivative classifiers and the annual refresher training are\n       helpful in their classification duties. All individuals, except one, believed that\n       training was adequate in teaching them how to make derivative classification\n       decisions and how to apply classification markings properly. Eighty interviewees\n       noted that they would like more hands-on training to ensure they could classify\n       information properly.\n\n       All DHS derivative classifiers interviewed were able to define their\n       responsibilities for derivative classification and the differences between\n       derivative and original classification. They explained the key elements included\n       in marking classified documents and handling caveats for their respective\n       component and in compliance with CAPCO guidance.\n\n       All personnel knew how to determine declassification dates for documents\n       derived from multiple sources or that carried forward multiple dates. Most\n       determined that they would use a matrix approach to ensure they were\n       capturing all dates and exemption categories.\n\n\n\n                                            15\n\nwww.oig.dhs.gov                                                                  OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       When asked what derivative classifiers should do if they encountered\n       information that they believed should be classified and is not, all answered that\n       they would first secure the document to the level they think it should be\n       classified. Next, they would contact the originating source to determine why it\n       was not classified. If the originating source could not answer, they would\n       contact their Senior Security Officer for clarification and to determine whether\n       an OCA could classify the information.\n\n       The staff we interviewed knew whether their component or office had an OCA\n       and SCGs. However, 15 of the 75 personnel whom we interviewed at\n       components with SCGs had not used the guides because they have not seen\n       them.\n\n       All persons interviewed knew and were trained on the process of formally or\n       informally challenging a classification, but some stated that they would be\n       reluctant to disagree with the originator\xe2\x80\x99s classification. They did not fear\n       retribution from senior management, but they did not believe that they were\n       experts in challenging classifications.\n\n       The derivative classifiers we interviewed believe that senior management and\n       policies are sufficient to create, protect, and disseminate classified documents.\n       The derivative classifiers stated that they had seen improvement in security\n       practices, classifying, and marking of documents.\n\n       Security Self-Inspection Program\n\n       According to the 2008 ISOO On-site Review of DHS, its security compliance\n       review (SCR) program, which includes the self-inspection program, was one of\n       the weaker areas of the Department\xe2\x80\x99s NSI program. However, we determined\n       that the security compliance review program, specifically the self-inspection\n       program, is one of the strongest parts of the program now. Each DHS\n       component and office that generates classified information is required to\n       establish a self-inspection program. The self-inspection includes reviews of\n       original classification, derivative classification, declassification, safeguarding,\n       security violations, security education and training, and management and\n       oversight, to ensure compliance with E.O. 13526 and 32 CFR, Part 2001. During\n       self-inspections, components and offices examine classified products, email, and\n       presentations for proper classifications and markings. We verified that the OCSO\n       and the 13 components and offices we reviewed had conducted SCRs or self-\n       inspections and sent their findings to senior leadership within the past 12\n       months.\n\n\n                                           16\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       ASD created and disseminates to the components a standardized checklist for\n       their use in conducting a self-inspection once a year. Further, ASD conducts a\n       compliance review of each component program once every 18 months.\n       Component or office heads or designated Senior Security Officers may conduct\n       unlimited self-inspections. The SCR team from ASD inspects every aspect of the\n       NSI program and interviews personnel to gauge their understanding of policies\n       and procedures in handling, safeguarding, and classifying information.\n\n       SCRs conducted by the SCR team or self-inspections by CCSOs include personal\n       interviews with derivative classifiers to determine whether they are aware of\n       their responsibilities for reducing over-classification and to determine their\n       knowledge of proper markings. Part of each inspection is a classification review\n       of a sample set of documents and a security check to determine whether proper\n       security procedures are followed. Upon completion of the SCR or self-\n       inspection, the results are compiled into a single report, which is presented to\n       senior management. Reports are also sent to inspected areas so that necessary\n       corrections can be made.\n\n       ASD provides its compliance review findings to component or office senior\n       management and gives them a timeframe to respond with corrective measures.\n       In accordance with E.O. 13526, ASD provides ISOO with an annual report\n       reflecting the status of the DHS self-inspection and SCR programs.\n\n       Classified Document Review\n\n       We determined that DHS is doing a good job of applying classification to their\n       documents as spelled out in the order and CFR. In our review, of the 372\n       classified documents, 59 or approximately 16 percent contained errors. For\n       example, 23 documents had incorrect declassification dates and 14 were missing\n       information on the classifier. Incorrect declassification dates could affect the use\n       and sharing of information; not naming the classifier could call into question\n       whether the individual had the proper authority to classify the document.\n       Although most errors were minor and could have been avoided if classifiers were\n       more precise, until DHS has a new CMT, these issues will likely continue.\n\n       Security Reporting\n\n       As required by E.O. 13526 and 32 CFR, Part 2001, DHS has provided all statistical\n       reports to ISOO on classification activities, costs, fundamental classification\n       guidance reviews, self-inspections, and security violations in a timely manner.\n\n\n\n\n                                           17\n\nwww.oig.dhs.gov                                                                OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n       Fundamental Classification Guidance Review\n\n       The Fundamental Classification Guidance Review (FCGR) serves as a benchmark\n       for Federal agencies to ensure proper classification of information vital to\n       national security, while expediting declassification by avoiding over-classification\n       and unnecessary withholding of records. Accurate and current classification\n       guides also ensure standardized classification within and across Federal agencies.\n       Overall, our review shows that DHS is streamlining classification guidance and\n       more clearly identifying categories of what can be released and what needs to\n       remain classified.\n\n       In 2012, DHS conducted a FCGR of all 74 of its existing SCGs and reported the\n       results to ISOO in July 2012. Of the 74 SCGs, 45 were revised, revalidated, and\n       reissued; 16 were canceled; 11 were merged or absorbed into other guides; and\n       2 were transferred to other agencies. The 45 SCGs equated to a 39 percent\n       reduction. Additionally, the DHS publications Security Classification Guides \xe2\x80\x93 A\n       Guide for Writing a DHS Security Classification Guide and Original Classification \xe2\x80\x93\n       A Guide for Original Classification Authorities were revised and reissued to\n       ensure consistency with and reflect changes resulting from the publication of\n       E.O. 13526.\n\n       Classification Statistics Report\n\n       Although DHS reports security classification program statistics to ISOO as\n       required by E.O. 13526 and 32 CFR, Part 2001, these statistics may not be\n       accurate. DHS captures this classification information on the SF 311 Agency\n       Security Classification Management Program Data form. Each DHS component\n       and office compiles statistics and submits a single SF 311 form; the OCSO then\n       compiles the statistics into one overall DHS report. Because of the increased use\n       of the electronic environment to share and disseminate information, DHS\n       includes in its statistics all classification decisions, regardless of media. Two\n       CCSOs believe that the estimates on SF 311 forms may not be as accurate as they\n       could be because, although the OCSO gives general directions on using the\n       forms, each component and office has its own system for compiling statistics. By\n       not having a standard way to collect statistics, DHS may not be able to report a\n       true representation of its classified holdings or decisions.\n\n       Cost Estimate Report\n\n       As required by E.O. 13526, DHS submitted a cost estimate for classification-\n       related activities in fiscal year 2012, SF 176, Cost Estimate Report, to ISOO in\n\n\n                                            18\n\nwww.oig.dhs.gov                                                                 OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       February 2013. The report was based on information provided by DHS\n       components and offices.\n\n       Recommendation\n\n       We recommend that the Office of the Chief Security Officer:\n\n       Recommendation #2: Create and implement a standard method for\n       components to collect and report information for the SF 311 Agency Security\n       Classification Management Program Data form.\n\n       Management Comments and OIG Analysis\n\n       Management Response: OCSO officials concurred with recommendation 2. In\n       its response, OCSO said that it will explore the feasibility of creating a\n       standardized method of accounting for classification decisions. OCSO stated that\n       the accuracy and reliability of data reported through the SF 311 report is\n       currently under discussion among reporting agencies within the executive\n       branch, under the leadership of ISOO. OCSO will continue to support the ISOO in\n       resolving reliability and accuracy issues of this reporting requirement. Pending\n       any changes to the reporting criteria stipulated by ISOO, OCSO will coordinate\n       with DHS Component Chief Security Officials to evaluate the feasibility of\n       creating a standard DHS method for collecting the data. OCSO estimates a\n       completion date of September 30, 2013.\n\n       OIG Analysis: We consider the Office of Management\xe2\x80\x99s actions responsive to\n       the intent of recommendation 2, which is resolved and open. This\n       recommendation will remain open pending documentation of new reporting\n       criteria directed by ISOO or by OCSO for the Department.\n\n\n       Security Education and Training\n\n       DHS classification training has been developed in accordance with E.O. 13526\n       and 32 CFR, Part 2001. The ASD Security Training Branch leads a working group\n       that includes attendees from each component and office, to create standardized\n       training for the entire Department.\n\n       The DHS Security Education and Training Awareness program encompasses\n       initial training, annual refresher training, and specialized training for OCAs and\n       those who apply derivative classification markings, as well as termination\n       briefings, designed to:\n                                            19\n\nwww.oig.dhs.gov                                                                 OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n           \xe2\x80\xa2\t Ensure that all employees who create, process, or handle classified\n              information have a satisfactory knowledge and understanding of\n              classification, safeguarding, and declassification policies and procedures;\n           \xe2\x80\xa2\t Increase uniformity in the conduct of agency security education and\n              training programs; and\n           \xe2\x80\xa2\t Reduce instances of over-classification or improper classification,\n              improper safeguarding, and inappropriate or inadequate declassification\n              practices.\n\n       The Security Training Branch has created, implemented, and conducted\n       adequate original and derivative classification training that is up-to-date and in\n       compliance with E.O. 13526 and 32 CFR, Part 2001. According to training\n       management personnel we interviewed, derivative training is accessible and\n       held more frequently than initially indicated by component and office employees\n       we interviewed. During compliance reviews, ISOO has commended DHS training\n       management for its successful work for conducting and implementing training.\n       The only inhibiting factor is the shortage of staff; however, the office has been\n       able to disseminate training to all domestic DHS components and offices and to\n       international offices.\n\n       The Security Training Branch conducts derivative and original classification\n       training, but DHS also has \xe2\x80\x9ctrain the trainer\xe2\x80\x9d programs to assist CCSOs in training\n       to their employees. In addition, the division offers a 2-hour in-person seminar\n       for all DHS employees that can also be conducted as a webinar for personnel in\n       the field or overseas and for senior management. Security Training Branch\n       management pointed out that this training has reached every State and a large\n       number of international posts, and that other Federal partner agencies use it to\n       train personnel with clearances.\n\n       DHS has determined that any individuals who do or may perform a derivative\n       classification action and individuals with access to classified systems shall be\n       considered derivative classifiers and as such are mandated to attend derivative\n       classifier training. Some components train all security clearance holders and\n       some train only those needing access to C-LAN or the Homeland Secure Data\n       Network classified data systems.\n\n       The Security Training Branch chairs the Security Training Working Group (STWG),\n       which is comprised of security personnel from each component and various\n       other security personnel. The STWG has standardized the derivative\n       classification training department-wide. The training is now given in three\n       venues; instructor-led (in person), Webinar (a combination of personnel use\n       their computers to connect to the Homeland Security Information Network and a\n                                           20\n\nwww.oig.dhs.gov\t                                                              OIG-13-106 \n\n\x0c                            OFFICE OF INSPECTOR GENERAL\n                                Department of Homeland Security\n\n\n       phone bridge), and computer-based training (CBT). The CBT was developed by\n       the Security Training Branch and USSS and met 508 compliance standards, which\n       are federally mandated for creating accessible content for people that use\n       assistive technologies.\n\n       The CBT was disseminated to the components to load on their Learning\n       Management Systems (LMS) to provide training. The CBT was able to be loaded\n       onto the USSS LMS with no USSS 508 compliance issues; however, the CBT was\n       not able to be loaded onto headquarters LMS due to not meeting headquarters\n       508 compliance standards. DHS personnel can still load the CBT compact disk on\n       their desktop computers to receive the training.\n\n       Security Training Branch personnel stated that Section 508 compliance standards\n       for component LMS seem to be less stringent than those for the headquarters\n       LMS \xe2\x80\x9cDHScovery.\xe2\x80\x9d Training management would recommend that a section be\n       dedicated to creating 508-compliant software training agency-wide, which would\n       assist in more efficient, internal training software development. The derivative\n       training is recorded in the Information Security Management System for all DHS\n       personnel who receive the training and additionally in DHScovery for Federal\n       headquarters personnel. All components also track completion of their\n       employees in their respective training management systems.\n\n       Intelligence Community Cross-cutting Issues\n\n\n       I&A and the USCG are the DHS representatives to the IC, and we determined\n       that there are no major issues with the IC as it relates to classification\n       management policies and procedures. The only issue our IC members may have\n       is with the possible single IC classification guide described in the Intelligence\n       Community Classification Guidance Findings and Recommendations Report of\n       January 2008, which included recommendations to move the IC toward common\n       guidelines. DHS IC members believe that a single classification guide will have to\n       take into account the different missions of IC members and unique access to\n       sources and methods. DHS IC components believe the most significant benefit of\n       a single classification guide would be the standardization of classification that\n       transcends IC elements and is consistent and uniform.4\n\n\n\n\n       4\n        ODNI has an ongoing effort to create a single classification guide that would standardize the\n       framework of all guides, provide standard definitions for the concepts behind information that\n       needs to be protected, and describe damage to national security.\n\n                                                 21\n\nwww.oig.dhs.gov                                                                           OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                            Department of Homeland Security\n\n\n       I&A and the USCG maintain websites that provide access to electronic versions\n       of ODNI updated policies and manuals. Personnel with the proper security\n       clearances and a need to know have access to all policies and manuals via the C-\n       LAN and the secret network. DHS has received all current and updated versions\n       of ODNI and CAPCO policies through the Intelligence Policy Advisory Group\n       (IPAG). The IPAG affords DHS the opportunity to provide feedback concerning\n       DHS equities on all ODNI draft policies.\n\n       I&A and USCG IC representatives believe that the continuance of establishing\n       and maintaining standard classification markings and formats that are consistent\n       with national policies and the statutory missions of IC members will enhance\n       information protection and dissemination.\n\n\n\n\n                                          22\n\nwww.oig.dhs.gov                                                             OIG-13-106 \n\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\nAppendix A\nObjectives, Scope, and Methodology\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment\nto the Inspector General Act of 1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the Department.\n\nThis review was included in the OIG Fiscal Year 2013 Annual Performance Plan. Our\nobjectives were to assess whether applicable classification policies, procedures, rules,\nand regulations have been adopted, followed, and effectively administered within DHS\nand to identify policies, procedures, rules, regulations, or management practices that\nmay be contributing to persistent misclassification of material.\n\nWe conducted our fieldwork from September 2012 to February 2013 and interviewed\nsecurity managers and original and derivative classifiers; we reviewed documents from\nDHS headquarters and 13 components and offices.\n\nWe conducted this review under the authority of the Inspector General Act of 1978, as\namended, and according to the Quality Standards for Inspection and Evaluation issued\nby the Council of the Inspectors General on Integrity and Efficiency.\n\n\n\n\n                                           23\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                            Department of Homeland Security\n\n\nAppendix B\nRecommendations\nWe recommend that the Office of Management:\n\nRecommendation #1: Ensure that DHS fully deploys the new Classification\nManagement Tool to all DHS components and offices when pilot testing is completed.\n\nWe recommend that the Office of the Chief Security Officer:\n\nRecommendation #2: Create and implement a standard method for components to\ncollect and report information for the SF 311 Agency Security Classification\nManagement Program Data form.\n\n\n\n\n                                          24\n\nwww.oig.dhs.gov                                                          OIG-13-106 \n\n\x0c                                 OFFICE OF INSPECTOR GENERAL\n                                      Department of Homeland Security\n\n\nAppendix C\nManagement Comments to the Draft Report\n\n                                                                                 U.S. OcpartJHcnt of t-lomcland Sccurit}\n                                                                                 \\\\.\':\'i<::hingf+\'ln,   nc 70~/JI.\n\n\n                                                                                Homeland\n                                                                                Security\n                                                       June 28, 2013\n\n\n          ME\'vlORANDUM FOR              Charle~   K. Erlwarcis\n                                        Deputy Inspector General\n                                        Office oflnspeclur General\n\n           FRO \'vi:                     Jim H. Crumpacker ~((\'z-L-\n                                        Director                  ~\n                                        Departmental GAO-Ot Liaison Of tee\n\n           SUBJECT:                     OIG Draft Report, "Reducing Over-classification of DHS National\n                                        Security Information" (Project \'\\o . 12- 161-ISP}\n\n\n           l11ank you for the oppmtunity to review and comment on this draft report. The U.S Department of\n           Humelancl Security (DHS) appreciates the Office oflnspector General\'s (OIG\'s) work in platming\n           and conducting its review and issuing this report.\n\n           The Department is pleased to note the 010 "determined that DHS has adopted ;md successfully\n           implemented all policies and procedures required by applicable Federal rt:gulations and intdligence\n           community directives." We also appreciate OIG\'s recognition that the DHS Office of the Chief\n           Security Officer (OCSO), within the Management Directorate, and DHS components have\n           "effectively implemented, managed, and provided oversight for a classified National Security\n           infonnation program." DHS leadership remains committed to maintaining a vital, robust, credible,\n           und proactive program for the administration and management of programs associated with the\n           protection of classtficd and sensitive but unclassified information.\n\n           The draft report contained two recommendations with which the Department concurs. Spccitlcally.\n           OIG recommended :\n\n           Recommendation 1: That the DHS Offict: uf Management ensure that DHS fully rleplnys the new\n           Classification Management Tool to all DHS components and offiees when pilot testing is completed.\n\n           Response: Concur. DHS Office of Intelligence and Analysis (!&A), through the National Security\n           Systems- Joint Program Management Office (NSS-JPMO), and implemented by the Entt:rprist:\n           Networked Support Services of Enterprise Services Division of the DHS Office of the Chief\n           Information Officer\'s (OCIO) IT Services Office, is finaliz ing the pilot phase of testing the\n           Classification Management Tool (CMT). The CMT is a standardized automated marking tool\n           created for use throughout the Intelligence Community. The funded purchase request for DHS to\n           procure the CMT is making its way through the procurement system to create an inter-agency\n           agreement with the owning agency and is expected to be completed within the coming weeks. Upon\n           receipt of payment, OCIO will proceed with full deployment of the tool to the Homeland Secure\n\n\n\n\n                                                            25\n\nwww.oig.dhs.gov                                                                                                      OIG-13-106 \n\n\x0c                                   OFFICE OF INSPECTOR GENERAL\n                                         Department of Homeland Security\n\n\n\n\n                                 1             2\n           Data "\'etwork (HSDN) and C-LAN networks. Concurrent with full deployment and for a period of\n           time thereafter, OCSO will a lso conduct initiill individualized training essential to the successful\n           deployment and use of the tool. Estimated Completion Date (ECD): February 28,20 14.\n\n           Recommendation 2: OlG also rec;ummemkd that the Ofli~.:e ufthe Chief Security Officer create\n           and implement a standard method fo r components to collect and report information for the SF 3 11\n           Agency Security Classification Management Program Data form.\n\n           Response:    Concur. A standardized method of accounting for classification decisions may increase\n           the accuracy and reliability of the final count provided to the Information Security Oversight Oft1ce\n           (ISOO) as part of the annual reporting requirement, and, OCSO will exp lore the feasibility of\n           creating ~uch a standard. However, the accuracy and reliability of data reported tlu-ough the Sf\' 3 11\n           report is a matter c urrently under discussion amongst reporting agencies w ithin the executive branch\n           under the leadership of ISOO. The purpose ofthc discussion is to assess and re-evaluate the\n           methods and criteria tor collecting the data, particularly as it relates to classification decisions made\n           and classified information processed within an electronic environment. OCSO will continue to\n           support the rsoo in its efforts to resolve long-standing issues associated with the reliability ttnd\n           accuracy of this important reporting requirement and will follow their !earl in the puhl ication of any\n           subst:quent pul i ~.:y ur guidance. Pending any changes to the reporting c1iteria stipulated by ISOO,\n           OCSO will, in coordination with DHS Component Security Ofticials, evaluate the feasibility of\n           creating a standard DHS method for collecting the data. ECD : September 30, 20 13.\n\n            Again, thank you for the opportunity to review and comment on this draft report. Technical\n            comments were previously submitted under separate cuvt:r. Please f~::d fre~:: to contact me if you\n            have any questions_ We look forward to working with you in the future.\n\n\n\n\n            \' The HSDN is a classified wide-area network utilized by th e Department, th e Components, and other partners.\n            2\n              The C-LAN is DHS\'s t op secret network_\n\n                                                                      2\n\n\n\n\n                                                                26\n\nwww.oig.dhs.gov                                                                                                              OIG-13-106\n\x0c                                OFFICE OF INSPECTOR GENERAL\n                                    Department of Homeland Security\n\n\nAppendix D\nDocument Review Results\n                 OFFICE OF INSPECTOR GENERAL-OFFICE OF INSPECTIONS\n                        CLASSIFIED DOCUMENT REVIEW RESULTS\n                       U.S. DEPARTMENT OF HOMELAND SECURITY\n\n\n\nLEVEL OF CLASSIFICATION\n\nTop Secret                                                      60\nSensitive Compartmented Information                              4\nSecret                                                         265\nConfidential                                                    43\nTOTAL                                                          372\n\nTYPE OF DOCUMENT\n\nCable/Message                                                   66\nMemo/Letter                                                     14\nElectronic Media/Email/Slide Presentations                      64\nReports                                                        121\nOther (Intelligence Assessments and Notes,\nBriefings, Issue Papers, Talking Points)                       107\nTOTAL                                                          372\n\nBASIS FOR CLASSIFICATION\n\nClassification Guide                                            80\nMultiple Sources                                               215\nSingle Source/Other                                             77\nTOTAL                                                          372\n\nDURATION OF CLASSIFICATION\n\nDeclassification less than 10 years                              0\nDeclassification 10 years                                       30\nDeclassification >10 years, <25 years                           69\nDeclassification 25 years                                      101\n25X1 \xe2\x80\x93 25X9                                                     22\n50X1 \xe2\x80\x93 HUM or 50X2 \xe2\x80\x93 WMD                                       114\nSource Marked X1 \xe2\x80\x93 X8 (valid use)                                1\nInvalid Use of X1- X8                                            0\nOther Invalid Marking                                           18\nNot Indicated                                                   17\nTOTAL                                                          372\n\n\nDISCREPANCIES\n\nDeclassification                                                23\nUnknown Basis for Classification/\xe2\x80\x9cDerived From\xe2\x80\x9d Line             4\n\n                                                   27\nwww.oig.dhs.gov                                                       OIG-13-106\n\x0c                                OFFICE OF INSPECTOR GENERAL\n                                     Department of Homeland Security\n\n\xe2\x80\x9cClassified By\xe2\x80\x9d Line- Derivative Classification                  14\nPortion Marking                                                   3\nMultiple Sources Not Listed                                       7\nMarking                                                           4\nOriginal/Derivative                                               0\n\xe2\x80\x9cReason\xe2\x80\x9d Line                                                     2\nDuration                                                          2\nTOTAL                                                            59\n\n\n\n\n                                                  28\nwww.oig.dhs.gov                                                        OIG-13-106\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\nAppendix E\nMajor Contributors to This Report\nDeborah L. Outten-Mills, Acting Assistant Inspector General for Inspections\nAnthony D. Crawford, Team Lead, Intelligence Officer\nRyan P. Cassidy, Program Analyst\n\n\n\n\n                                           29\n\nwww.oig.dhs.gov                                                               OIG-13-106 \n\n\x0c                           OFFICE OF INSPECTOR GENERAL\n                               Department of Homeland Security\n\n\nAppendix F\nReport Distribution\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nDirector, GAO/OIG Liaison Office\nAssistant Secretary for Office of Policy\nAssistant Secretary for Office of Public Affairs\nAssistant Secretary for Office of Legislative Affairs\nDHS Management Liaison\nActing Chief Privacy Officer\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCommittee on Homeland Security and Government Affairs\nSelect Committee on Intelligence\nCommittee on Homeland Security\nCommittee on Oversight and Government Reform\nPermanent Select Committee on Intelligence\n\n\n\n\n                                              30\n\nwww.oig.dhs.gov                                                  OIG-13-106 \n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this document, please call us at (202) 254-4100, fax your\nrequest to (202) 254-4305, or e-mail your request to our Office of Inspector General\n(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.\n\nFor additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter\nat: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto:\n\n       Department of Homeland Security \n\n       Office of Inspector General, Mail Stop 0305 \n\n       Attention: Office of Investigations Hotline \n\n       245 Murray Drive, SW \n\n       Washington, DC 20528-0305 \n\n\nYou may also call 1(800) 323-8603 or fax the complaint directly to us at\n(202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'